🐛 Bug Report: SMTP Password is leaked in clear text to admins #159

New Issue

Closed

opened 2025-10-09 16:29:59 +03:00 by OVERLORD · 1 comment

OVERLORD commented 2025-10-09 16:29:59 +03:00

Owner

Copy Link

Originally created by @jeboehm on GitHub.

Reproduction steps

• Set UI_CONFIG_DISABLED=true in env
• Set smtp credentials, especially SMTP_PASSWORD in env
• Go to application configuration, expand email
• Change the password fields type from password to text or just check its value

Expected behavior

It is imperative that passwords remain undisclosed to all users, regardless of their administrative privileges.

Actual Behavior

The password set via SMTP_PASSWORD is leaked to the admin user.

Version and Environment

v1.4.1

Log Output

No response

Originally created by @jeboehm on GitHub. ### Reproduction steps - Set `UI_CONFIG_DISABLED=true` in env - Set smtp credentials, especially `SMTP_PASSWORD` in env - Go to application configuration, expand email - Change the password fields type from `password` to `text` or just check its value ### Expected behavior It is imperative that passwords remain undisclosed to all users, regardless of their administrative privileges. ### Actual Behavior The password set via `SMTP_PASSWORD` is leaked to the admin user. ### Version and Environment v1.4.1 ### Log Output _No response_

OVERLORD added the bug label 2025-10-09 16:29:59 +03:00

OVERLORD closed this issue 2025-10-09 16:30:00 +03:00

OVERLORD commented 2025-10-09 16:30:02 +03:00

Author

Owner

Copy Link

@stonith404 commented on GitHub:

Thanks, this should be fixed in ba61cdba4e and will be available in the next release.

@stonith404 commented on GitHub: Thanks, this should be fixed in ba61cdba4eb3d5659f3ae6b6c21249985c0aa630 and will be available in the next release.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/restrict-email-one-time-access

oidc-scopes

breaking/v2

i18n_crowdin

v2/use-item-component

default-env-db-keys

slog-gorm

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id-pocket-id-2#159